
fix(security): bump flatted to 3.4.2 (ENG-13143)#144

Merged
andriy-sudo merged 1 commit into main from andriy/ENG-13143-fix-flatted-cve-2026-33228
Mar 23, 2026

Conversation

@andriy-sudo
Contributor

Summary

Bumps flatted from 3.3.3 → 3.4.2 via overrides in examples/js/package.json to fix a high-severity prototype pollution vulnerability.

Fixes: ENG-13143

Vulnerability Details

| Package | Old | New | Advisory | CVSS | Status |
|---------|-----|-----|----------|------|--------|
| flatted | 3.3.3 | 3.4.2 | GHSA-rf6f-7fwh-wjgh (CVE-2026-33228) | High | ✅ Fixed |
| flatted | 3.3.3 | 3.4.2 | GHSA-25h7-pfq9-p65f | High | ✅ Fixed (bonus — requires 3.3.4+) |

GHSA-rf6f-7fwh-wjgh: flatted.parse() allows attacker-controlled string keys like __proto__ to traverse the prototype chain, leaking a live reference to Array.prototype to the consumer — enabling global prototype pollution, DoS, or potential RCE.

flatted is a transitive dep: eslint → file-entry-cache → flat-cache@3.2.0 → flatted@^3.2.9. Since flat-cache pins ^3.2.9, an overrides entry is needed to force ^3.4.2.

Test Plan

  • CI vulnerability-check passes
  • CI SAST, TruffleHog, Pre-commit pass
  • @KateZhang98 to verify JS examples run cleanly

- flatted 3.3.3 → 3.4.2 via overrides in examples/js/package.json
  (GHSA-rf6f-7fwh-wjgh, CVE-2026-33228, HIGH) Prototype Pollution via parse()
  Also resolves GHSA-25h7-pfq9-p65f (DoS via unbounded recursion, fixed 3.3.4)
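The traversal the advisory describes, as an added example that is neither flatted's code nor part of this PR: an index-based serializer keeps every value in one flat table and stores string indices as pointers; a resolver that indexes that table with the untrusted string as-is lets a key such as `__proto__` walk the prototype chain and hand the consumer a live reference to `Array.prototype`, while a resolver that accepts only canonical own indices rejects it. `SAMPLE_TABLE`, `HOSTILE_TABLE`, `naiveResolve`, `safeResolve`, `resolveRecord` and `rejectionOf` are names chosen for this illustration, not flatted's API, and both tables are constructed sample data.

```javascript
// Added example, not flatted's code. Shows the bug class behind the advisory:
// indexing a flat value table with an untrusted string key.

// Constructed sample: { user: "alice", roles: ["admin"] } flattened into a table.
// Object and array slots hold string indices pointing into the same table.
const SAMPLE_TABLE = [
  { user: '1', roles: '2' },
  'alice',
  ['3'],
  'admin',
];

// Constructed hostile input: the "roles" slot carries "__proto__" instead of an index.
const HOSTILE_TABLE = [
  { user: '1', roles: '__proto__' },
  'alice',
];

// Naive resolver: whatever string the input carries becomes the array index.
// For "__proto__" this returns Array.prototype; for "constructor" it returns Array.
function naiveResolve(table, ref) {
  return table[ref];
}

// Hardened resolver: only canonical decimal indices ("0", "7", never "07" or "1e3")
// that fall inside the table are accepted. Anything else is rejected before lookup,
// so the prototype chain is never consulted.
const INDEX_RE = /^(0|[1-9][0-9]*)$/;
function safeResolve(table, ref) {
  if (typeof ref !== 'string' || !INDEX_RE.test(ref)) {
    throw new TypeError(`reference is not a table index: ${JSON.stringify(ref)}`);
  }
  const idx = Number(ref);
  if (!Number.isSafeInteger(idx) || idx >= table.length) {
    throw new RangeError(`reference ${ref} is outside the table (${table.length} slots)`);
  }
  return table[idx];
}

// Resolve every field of one serialized record with the given resolver.
// This is the point where a leaked prototype reference would reach the consumer.
function resolveRecord(table, record, resolve) {
  const out = {};
  for (const key of Object.keys(record)) {
    out[key] = resolve(table, record[key]);
  }
  return out;
}

// Small helper for demonstrating rejection: name of the error `fn` throws, or null.
function rejectionOf(fn) {
  try {
    fn();
    return null;
  } catch (err) {
    return err.constructor.name;
  }
}

// Stand-alone run: the naive path hands Array.prototype to the caller,
// the hardened path refuses the reference.
const leaked = resolveRecord(HOSTILE_TABLE, HOSTILE_TABLE[0], naiveResolve);
console.log('naive roles is Array.prototype:', leaked.roles === Array.prototype);
console.log('safe resolver rejects with:',
  rejectionOf(() => resolveRecord(HOSTILE_TABLE, HOSTILE_TABLE[0], safeResolve)));
```

The same check belongs in any consumer that turns deserialized string keys into array or object lookups: validate that the key is an own, in-range index (or use `Object.hasOwn` for object tables) rather than relying on the property access itself to fail on bad input.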
@andriy-sudo andriy-sudo requested a review from KateZhang98 March 22, 2026 08:31
@coderabbitai

coderabbitai bot commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c31373f2-fa24-49d6-9129-98484e33c778

📥 Commits

Reviewing files that changed from the base of the PR and between 77f121f and d1ac339.

⛔ Files ignored due to path filters (1)
  • examples/js/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • examples/js/package.json

📝 Walkthrough

Walkthrough

The pull request adds a dependency override entry to examples/js/package.json. Specifically, it introduces an overrides.flatted configuration pinned to version ^3.4.2. This override joins existing override rules for axios (>=1.13.5) and minimatch (^3.1.3). The modification ensures that the flatted dependency resolves to the specified version constraint when the package is installed, regardless of what version other dependencies might request.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|------------|--------|-------------|
| Title check | ✅ Passed | The title directly reflects the main change: bumping flatted to a specific version to fix a security vulnerability, which aligns with the core change in the PR. |
| Description check | ✅ Passed | The description is well-related to the changeset, providing detailed context about the vulnerability being fixed and the reason for the version bump. |


@andriy-sudo andriy-sudo merged commit 100fb17 into main Mar 23, 2026
4 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-13143-fix-flatted-cve-2026-33228 branch March 23, 2026 08:22